Specify your access requirements

Note

This topic is part of a larger design considerations guide. If you'd like to start at the beginning of the guide, check out the main topic. To get a downloadable copy of this entire guide, visit the TechNet Gallery.

A mobile device that can't use apps or access the company data needed to perform work isn't useful to your employees. So it's critical to understand how data will travel from its source location (on-premises or cloud) to the mobile device.

Map the potential paths data will travel to and from mobile devices, and the controls that should be in place for each path. Many companies that already have security policies in place haven't considered how mobile devices increase the likelihood that corporate data is leaked. Review your current company policies to ensure that the requirements you develop for authentication, authorization, and access control are aligned with your business requirements.

Answer the following questions to help determine the access requirements for mobile devices:

  • Authentication and authorization: As part of the strategy to allow users to access company data from mobile devices, you must identify which users are eligible for access. Some companies decide to initially allow data access for just a portion of their users, and then grant access to other employees as they request it, based on business need. To restrict access, your solution must authenticate (confirm that the user is who they claim to be) and authorize (evaluate whether the user should have access to the data they are requesting) according to your company's policy.

When designing your MDM solution, consider the following:

  • Does your organization have a current directory service that is used for authentication and authorization?
    • If yes, does the MDM solution integrate with your directory service to authenticate and authorize access to resources?
    • Does your organization need centralized authentication, or can it be hybrid?
    • Does your organization plan to require multi-factor authentication for mobile users?
    • Does your organization use an on-premises Public Key Infrastructure (PKI) to issue certificates?
      • If yes, does the MDM solution have the capability to perform authentication using digital certificates?
        • If yes, does the MDM solution have the capability to integrate with the existing on-premises PKI?
  • Does your organization need to use the current directory service to authenticate users accessing third-party apps?
    • If yes, does the MDM solution allow users to use single sign-on (SSO) to authenticate against third-party apps?

  • Access control: Once a user is authenticated and authorized, each request for a resource must still be validated against that user's level of access. The requested resource can be data or an app. Because device state and location can change after sign-in, this validation belongs on every request, not only at logon. When designing your solution, consider the following:

  • Does your company need different levels of control for managing the mobile devices and the MDM solution itself?
    • If yes, does the MDM solution support Role Based Access Control (RBAC)?
  • Does your company need different levels of access according to the user's location?
    • If yes, does the MDM solution allow you to create access control restrictions according to the user's location?
  • Does your company need to control access to apps?
    • If yes, does the MDM solution allow you to control access to apps installed on the mobile device?
  • Does your company need to control access according to a set of conditions?
    • If yes, does the MDM solution allow you to apply conditional access control?
    • If yes, does the MDM solution allow you to enable or disable application features according to the user's identity?
    • If yes, does the MDM solution allow you to manage device attestation?
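The questions above describe three layers that are easy to blur in practice: authentication (who is this), authorization (what may this role do), and access control conditions (is this device, location and session good enough right now). The following evaluator, added here as an illustration and not code from the guide or from ConfigMgr, shows how those layers stack for one request. The request shape, role names, policy table, network ranges and sample users are all constructed for the example; a real MDM or access gateway would source them from the directory, the compliance engine and the attestation service.

```python
"""Constructed conditional-access evaluator for mobile-device requests.

Every table and sample below is invented for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed: address ranges treated as "on the corporate network".
CORPORATE_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed RBAC table: role -> {resource: actions permitted}.
ROLE_PERMISSIONS = {
    "sales": {"crm": {"read", "export"}, "mail": {"read", "send"}},
    "engineering": {"source": {"read", "write"}, "mail": {"read", "send"}},
    "admin": {"mdm-console": {"read", "write"}, "mail": {"read", "send"}},
}

# Constructed resource classification: conditions each resource demands
# beyond RBAC (managed+compliant device, second factor, attestation, location).
RESOURCE_POLICY = {
    "mail": dict(managed=False, mfa=False, attestation=False, internal_only=False),
    "crm": dict(managed=True, mfa=True, attestation=False, internal_only=False),
    "source": dict(managed=True, mfa=True, attestation=True, internal_only=False),
    "mdm-console": dict(managed=True, mfa=True, attestation=True, internal_only=True),
}

# Constructed feature gating: actions allowed only from the corporate network.
INTERNAL_ONLY_ACTIONS = {"crm": {"export"}}


@dataclass(frozen=True)
class Device:
    managed: bool         # enrolled in the MDM
    compliant: bool       # meets the compliance policy (PIN, encryption, ...)
    attestation_ok: bool  # device attestation result, if the MDM collects one


@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset
    authenticated: bool   # identity already proven (password, certificate, SSO)
    mfa: bool             # second factor completed in this session
    client_ip: str
    device: Device
    resource: str
    action: str


@dataclass(frozen=True)
class Decision:
    outcome: str          # "allow", "deny" or "step-up"
    reason: str
    features: frozenset = frozenset()  # actions actually enabled on allow


def on_corporate_network(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in CORPORATE_NETWORKS)


def authorized_actions(roles, resource) -> set:
    """Union of the actions every held role grants on the resource (RBAC)."""
    allowed = set()
    for role in roles:
        allowed |= ROLE_PERMISSIONS.get(role, {}).get(resource, set())
    return allowed


def evaluate(req: Request) -> Decision:
    # 1. Authentication: without a proven identity there is nothing to evaluate.
    if not req.authenticated:
        return Decision("deny", "not authenticated")
    # 2. Authorization: does any of the user's roles grant this action?
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return Decision("deny", f"unknown resource {req.resource}")
    allowed = authorized_actions(req.roles, req.resource)
    if req.action not in allowed:
        return Decision("deny", f"roles {sorted(req.roles)} lack {req.action} on {req.resource}")
    # 3. Access control conditions, re-checked on every request.
    if policy["managed"] and not (req.device.managed and req.device.compliant):
        return Decision("deny", "device not managed or not compliant")
    if policy["attestation"] and not req.device.attestation_ok:
        return Decision("deny", "device attestation missing or failed")
    internal = on_corporate_network(req.client_ip)
    if policy["internal_only"] and not internal:
        return Decision("deny", "resource reachable only from the corporate network")
    if policy["mfa"] and not req.mfa:
        # Identity is fine; request the second factor rather than refusing outright.
        return Decision("step-up", "MFA required for this resource")
    # 4. Feature gating: trim the role's action set by location.
    features = set(allowed)
    if not internal:
        features -= INTERNAL_ONLY_ACTIONS.get(req.resource, set())
    if req.action not in features:
        return Decision("deny", f"{req.action} on {req.resource} is allowed only on the corporate network")
    return Decision("allow", "all conditions satisfied", frozenset(features))


if __name__ == "__main__":
    managed = Device(managed=True, compliant=True, attestation_ok=True)
    byod = Device(managed=False, compliant=False, attestation_ok=False)
    for r in [
        Request("alice", frozenset({"sales"}), True, True, "10.1.2.3", managed, "crm", "export"),
        Request("alice", frozenset({"sales"}), True, True, "203.0.113.7", managed, "crm", "export"),
        Request("bob", frozenset({"engineering"}), True, False, "203.0.113.7", managed, "source", "read"),
        Request("carol", frozenset({"admin"}), True, True, "203.0.113.7", managed, "mdm-console", "write"),
        Request("dave", frozenset({"sales"}), True, True, "10.1.2.3", byod, "mail", "read"),
    ]:
        d = evaluate(r)
        print(f"{r.user:6} {r.resource}/{r.action:6} -> {d.outcome}: {d.reason}")
```

The ordering matters: authentication and RBAC run first so a denied action is never promoted to a step-up prompt, and the MFA check comes last among the conditions so that a non-compliant device is refused rather than asked for a second factor it will not be trusted with anyway. The same request from the same user gets a different decision depending on network and device state, which is exactly the behaviour the conditional access and location questions above are asking the MDM solution to support.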

Read Secure access to company resources from any location on any device to better understand how to leverage built-in Windows Server 2012 R2 capabilities in conjunction with ConfigMgr to provide access to your company resources.